Safeguard
Buyer's Guides

PHP Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.

Priya Mehta
Analyst
6 min read

PHP still runs a large share of the web, and its code review tooling has matured far beyond the language's old reputation. The modern PHP stack — typed properties, Composer, and framework conventions in Laravel and Symfony — is analyzable in ways the PHP of a decade ago was not. Two tools in particular, PHPStan and Psalm, changed the game by bringing real type inference and, importantly, taint analysis to a dynamically typed language. This guide separates the type/quality tools from the security tools, names the 2026 options honestly, and covers the Composer dependency surface that framework-heavy PHP leans on.

What to look for

  • Type-level analysis is your foundation. PHPStan and Psalm catch a huge class of bugs by inferring types PHP does not enforce at compile time. Raising their strictness level is high-leverage.
  • Taint tracking for injection. PHP's classic risks — SQL injection, XSS, file inclusion — are dataflow problems. You want a tool that traces untrusted input to a dangerous sink, not just pattern matches.
  • Framework awareness. Laravel's Eloquent and Symfony's components have their own safe and unsafe patterns. A framework-blind tool over- and under-reports.
  • Composer dependency risk. Modern PHP is Composer packages all the way down. SCA over your composer.lock is essential.
  • Legacy realism. Much PHP is old. A tool that only works on pristine typed code is useless on the codebase you actually have.

The real tools in 2026

PHPStan is the most widely adopted static analyzer, using configurable "levels" so teams can ratchet strictness upward over time. Its core job is finding type and correctness bugs, and it does that superbly; security taint analysis is available through the community extension rather than the default. Psalm (originally from Vimeo) is the other major analyzer and ships first-class taint analysis — trace input from source to sink — making it one of the strongest free options for detecting injection and XSS in PHP. Tradeoff: both require reasonable type coverage to shine, and taint analysis needs annotation discipline on messy legacy code.

PHP_CodeSniffer and PHP-CS-Fixer handle style and standards (PSR compliance); they are not security tools. progpilot is a dedicated open-source PHP taint-analysis scanner focused specifically on security vulnerabilities — useful, though less actively polished than the big two.

Semgrep brings readable custom rules with PHP support and cross-file taint (deepest rules are commercial). SonarQube / SonarCloud covers quality and security hotspots for PHP and absorbed the RIPS static-analysis technology, which was historically the specialist PHP SAST engine, after that 2021 acquisition; self-hosting is real work. Snyk Code provides commercial AI-assisted SAST across PHP among other languages.

For dependencies, the Local PHP Security Checker and composer audit check your lockfile against advisories; commercial SCA adds prioritization and reachability.

ToolCategoryStrengthWatch-out
PHPStanTypes + correctnessLevel-based ratchetTaint via extension
PsalmTypes + taintBuilt-in taint analysisNeeds type coverage
progpilotSecurity SASTPHP taint-focusedLess polished
PHP_CodeSnifferStylePSR standardsNot security
SemgrepSecurity SASTCustom rules, taintDeep rules paid
SonarQubeQuality + securityReporting, RIPS lineageOps overhead
composer auditSCAFree lockfile checkNo prioritization

How these fit with SCA and reachability

A modern Laravel or Symfony application is mostly Composer packages, and those packages have vulnerability histories of their own. So PHP code review is two problems again: analyzing your first-party code for injection and logic flaws with a taint-aware tool, and analyzing the Composer dependency graph with SCA. Running Psalm's taint analysis but ignoring composer.lock leaves the larger surface unchecked.

And as everywhere, raw SCA over-reports. Your app pulls in packages transitively, and most of their known CVEs sit in code paths you never execute. Reachability analysis walks the call graph to determine which vulnerable functions your application actually reaches, collapsing a long advisory list into the ones that matter. Applied to Psalm or Semgrep findings, it prioritizes the injection paths that touch real request flows first. See how reachability-aware SCA turns a noisy list into a queue.

Where Safeguard fits

Keep PHPStan or Psalm in your pipeline — their type and taint analysis is genuinely strong and belongs in the inner loop. Safeguard sits alongside them to unify first-party SAST findings with reachability-aware SCA over your Composer graph, producing one prioritized queue instead of a Psalm report next to a composer audit dump. It draws on a curated catalog of 500K+ zero-CVE components to replace risky dependencies at the source, and Griffin AI performs autonomous remediation, verified by a model-agnostic step before it opens a pull request — so Auto-Fix delivers a checked fix rather than a hopeful one. For teams running PHP alongside other stacks, having those findings in the same prioritized view as the rest of the estate is the practical win. The $1 Starter plan lets you try it on one real repository, and it runs cloud, on-prem, and air-gapped.

The honest note: for a small, well-typed PHP codebase, Psalm's taint analysis plus composer audit covers a lot. The value of a prioritizing platform grows with legacy volume, transitive dependencies, and finding counts.

Frequently Asked Questions

PHPStan or Psalm — which should I use for security? Psalm ships built-in taint analysis, so for tracing untrusted input to dangerous sinks it is the stronger out-of-the-box security choice. PHPStan is superb for type and correctness bugs, with security taint available through a community extension. Many teams run one for types and add a dedicated security scan on top.

Is composer audit enough for dependency security? It is a useful free baseline that checks your lockfile against known advisories, but it has no prioritization and no reachability, so it reports CVEs in packages your code may never call. Pair it with reachability-aware SCA to focus on the vulnerabilities you can actually trigger.

Can these tools handle legacy, untyped PHP? Partly. PHPStan and Psalm work best with type coverage, and their deepest analysis — including taint tracking — improves as you add annotations. On messy legacy code you will get value at lower strictness levels and can ratchet up over time, but expect more false positives until types improve.

What happened to RIPS for PHP? RIPS was the well-known specialist PHP static-analysis engine; its technology was acquired by SonarSource in 2021 and folded into the Sonar products rather than sold as a standalone PHP scanner today. For dedicated open-source PHP taint analysis now, Psalm and progpilot are the common choices.

Ready to prioritize the PHP findings that matter? Create a free account or read the guides in the Safeguard documentation.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.